General
- Target: Payment Advice.vbs
- Size: 52KB
- Sample: 230212-yenv8sfe3v
- MD5: 3111ae1b6a9e1c173eaf3a7bda34ca7f
- SHA1: c2a6e03871105706b5889bd1078a402efc67a268
- SHA256: 3a8e672d0d59855db74d28528c41684357e7e534312f8feb3908c5e4d5856678
- SHA512: 5533f1ca1c0588d2fee1b9aa0c1977ac539ebe86db30b1d022239fbc3276e9d87a4c79a399ae68e37a039acac95f7a703ff23070596a7643a33c17baeab79af1
- SSDEEP: 768:r+1VMDvbrLLMAedsaNLQnxeP+Fs4ofdESVBrps/7hk1+N52K:rvLLYAeCaNMxefwDh
Static task: static1
Behavioral task: behavioral1
- Sample: Payment Advice.vbs
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: Payment Advice.vbs
- Resource: win10v2004-20220901-en
Malware Config
- Extracted: http://megookbpnq.cf/Kvin.snp
Targets
- Target: Payment Advice.vbs (52KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks QEMU agent file: checks for the presence of the QEMU agent, possibly to detect virtualization.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext